Muen

Overview

The Muen Separation Kernel is the world’s first Open Source microkernel that
has been formally proven to contain no runtime errors at the source code level.
It is developed in Switzerland by the Institute for Networked Solutions (INS)
at the University of Applied Sciences Rapperswil (HSR). Muen was designed
specifically to meet the challenging requirements of high-assurance systems on
the Intel x86/64 platform. To ensure Muen is suitable for highly critical
systems and advanced national security platforms, HSR closely cooperates with
the high-security specialist secunet Security Networks AG in Germany.

A Separation Kernel (SK) is a specialized microkernel that provides an
execution environment for components that exclusively communicate according to
a given security policy and are otherwise strictly isolated from each other.
The covert channel problem, largely ignored by other platforms, is addressed
explicitly by these kernels. SKs are generally more static and smaller than
dynamic microkernels, which minimizes the possibility of kernel failure and
enables both the application of formal verification techniques and the
mitigation of covert channels.

Muen uses Intel's hardware-assisted virtualization technology VT-x as the core
mechanism to separate components. The kernel executes in VMX root mode, while
user components, so-called subjects, run in VMX non-root mode. Hardware
passthrough is realized using Intel's VT-d DMA and interrupt remapping
technology. This enables the secure assignment of PCI devices to subjects.

Muen is under active development, and verification of kernel properties is
ongoing.

Features

Kernel

The following list outlines the most prominent features of the Muen kernel:

Muen supports the hardware-accelerated virtualization of Microsoft Windows
through the use of a fully de-privileged variant of VirtualBox [vbox] running
inside a strongly isolated VM subject on top of Genode’s base-hw kernel. See
the release notes of the Genode OS Framework version 16.08 [genode_muen] for
more information about this exciting feature.

Components

The Muen platform includes re-usable components which implement common services:

Toolchain

The Muen platform includes a versatile toolchain which facilitates the
specification and construction of component-based systems in different
application domains.

The [mugenhwcfg] tool for automated hardware description generation
simplifies the addition of support for new target machines. Scheduling plans
can be generated automatically from a scheduling configuration using the
[mugenschedcfg] tool.

The Ada and SPARK packages currently available in Debian and Ubuntu are too old
to build Muen. GNAT/SPARK GPL 2017 from AdaCore’s [libre] site must be
installed instead. Extend your PATH to make the GPL compiler and tools
visible to the Muen build system (assuming that they are installed below
/opt):

$ export PATH=/opt/gnat/bin:/opt/spark/bin:$PATH

For SPARK Discovery GPL 2017 you additionally need to install the z3 and
cvc4 provers. Follow the instructions in the SPARK user guide [sparkug].

Docker

There is also a ready-made Docker image which contains all necessary tools for
Muen development. You can install it using the following command:

$ docker pull codelabsch/muen-dev-env

Compilation

To build the Muen tools, RTS, kernel and example components change to the Muen
source directory and issue the following command:

$ make

This will create an image containing the example system which can be booted by
any Multiboot [mboot] compliant bootloader.

Deploy

The build system provides two ways to instantly deploy and test the created
system image.

Emulation

To ease kernel development, the Muen project makes use of emulation by
employing the Bochs IA-32 emulator [bochs]. Among many other features, Bochs
has support for multiple processors, APIC emulation and VMX extensions.

Download Bochs from its project site and issue the following commands to build
and install it with /usr/local prefix:

Issue the following command in the Muen project directory to start emulation:

$ make emulate

The Bochs emulator output is located at emulate/bochsout.txt, and the Muen
kernel serial console output is written to emulate/serial.out.

As Bochs is missing IOMMU and PCI MMCONF emulation, device passthrough is
not supported for this hardware target.

Hardware

The top-level Makefile provides two convenient targets to deploy Muen to real
hardware: iso and deploy. The first creates a bootable ISO image which can
be burned on a CD-ROM or dumped on a USB stick, the second uses network boot to
shorten round-trips during development.

USB Stick

To create a bootable USB stick containing the Muen system, enter the following
commands in the top-level directory:

Network Boot

For fast deployment of the Muen system image to real hardware, the iPXE
[ipxe] boot firmware is installed on a USB stick and used in conjunction with
Intel Active Management Technology (AMT). Please refer to the amtterm [amt]
documentation on how to configure AMT on the target hardware.

To build and install iPXE with the Muen specific boot script issue the
following commands:

After initialization of the network adapter, iPXE tries to download and boot
the system image from the following URL:

http://192.168.254.1:8000/muen.img

The development machine must be connected to the target hardware via an
interface with IP address 192.168.254.1. To actually serve the created system
image to the bootloader, issue the following command in the top-level Muen
directory:

$ export AMT_PASSWORD=<your AMT password>
$ make deploy

To view the output of the Muen kernel debug console use the command:

$ amtterm 192.168.254.2

If your hardware differs from the default configuration, additionally specify
the HARDWARE variable:

License

Copyright (C) 2013-2018 Reto Buerki <reet@codelabs.ch>
Copyright (C) 2013-2018 Adrian-Ken Rueegsegger <ken@codelabs.ch>

This program is free software: you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation, either version 3 of the License, or (at your option) any later
version.